AWS Identity and Access Management
User Guide

Actions, Resources, and Condition Keys for Amazon Cognito Identity

Amazon Cognito Identity (service prefix: cognito-identity) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:

Actions Defined by Amazon Cognito Identity

You can specify the following actions in the Action element of an IAM policy statement. By using policies, you define the permissions for anyone performing an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions. For details about the columns in the following table, see The Actions Table.

Actions Description Access Level Resource Types (*required) Condition Keys Dependent Actions
CreateIdentityPool Creates a new identity pool. Write

aws:RequestTag/${TagKey}

aws:TagKeys

aws:ResourceTag/${TagKey}

DeleteIdentities Deletes identities from an identity pool. You can specify a list of 1-60 identities that you want to delete. Write
DeleteIdentityPool Deletes a user pool. Once a pool is deleted, users will not be able to authenticate with the pool. Write

identitypool*

DescribeIdentity Returns metadata related to the given identity, including when the identity was created and any associated linked logins. Read
DescribeIdentityPool Gets details about a particular identity pool, including the pool name, ID description, creation date, and current number of users. Read

identitypool*

GetCredentialsForIdentity Returns credentials for the provided identity ID. Read
GetId Generates (or retrieves) a Cognito ID. Supplying multiple logins will create an implicit linked account. Write
GetIdentityPoolRoles Gets the roles for an identity pool. Read

identitypool*

GetOpenIdToken Gets an OpenID token, using a known Cognito ID. Read
GetOpenIdTokenForDeveloperIdentity Registers (or retrieves) a Cognito IdentityId and an OpenID Connect token for a user authenticated by your backend authentication process. Read

identitypool*

ListIdentities Lists the identities in a pool. List

identitypool*

ListIdentityPools Lists all of the Cognito identity pools registered for your account. List
ListTagsForResource Lists the tags that are assigned to an Amazon Cognito identity pool. List

identitypool

aws:ResourceTag/${TagKey}

LookupDeveloperIdentity Retrieves the IdentityID associated with a DeveloperUserIdentifier or the list of DeveloperUserIdentifiers associated with an IdentityId for an existing identity. Read

identitypool*

MergeDeveloperIdentities Merges two users having different IdentityIds, existing in the same identity pool, and identified by the same developer provider. Write

identitypool*

SetIdentityPoolRoles Sets the roles for an identity pool. These roles are used when making calls to GetCredentialsForIdentity action. Write
TagResource Assigns a set of tags to an Amazon Cognito identity pool. Tagging

identitypool

aws:RequestTag/${TagKey}

aws:TagKeys

aws:ResourceTag/${TagKey}

UnlinkDeveloperIdentity Unlinks a DeveloperUserIdentifier from an existing identity. Write

identitypool*

UnlinkIdentity Unlinks a federated identity from an existing account. Write
UntagResource Removes the specified tags from an Amazon Cognito identity pool. Tagging

identitypool

aws:TagKeys

aws:ResourceTag/${TagKey}

UpdateIdentityPool Updates a user pool. Write

identitypool*

Resources Defined by Amazon Cognito Identity

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the table. For details about the columns in the following table, see The Resource Types Table.

Resource Types ARN Condition Keys
identitypool arn:${Partition}:cognito-identity:${Region}:${Account}:identitypool/${IdentityPoolId}

aws:ResourceTag/${TagKey}

Condition Keys for Amazon Cognito Identity

Amazon Cognito Identity defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see The Condition Keys Table.

To view the global condition keys that are available to all services, see Available Global Condition Keys in the IAM Policy Reference.

Condition Keys Description Type
aws:RequestTag/${TagKey} Filters actions based on the presence of tag key-value pairs in the request. String
aws:ResourceTag/${TagKey} Filters actions based on tag key-value pairs attached to the resource. String
aws:TagKeys Filters access by a key that is present in the request. String